
#2 Colons in attributes

open-accepted
None
3
2005-04-23
2003-09-14
No

Currently, kses doesn't handle colons in some attributes
well. In many cases, it thinks that they are a part of a
URL, and starts removing stuff with the whitelisting URL
function. This is bad for attributes that don't take URLs.

It should be possible to switch on and off the
whitelisting URL protocol thing, to avoid this problem.

Discussion

  • Ulf Harnhammar

    Ulf Harnhammar - 2003-09-14
    • status: open --> open-accepted
     
  • Ulf Harnhammar

    Ulf Harnhammar - 2005-04-23
    • assigned_to: nobody --> metaur
     
  • nobunobu

    nobunobu - 2005-10-08


    For handling "style" attributes (they require colons in their
    value) in kses, I changed the kses_hair() function in the
    following way.

    Find the following lines (3 lines may be found):

    $thisval = kses_bad_protocol($match[1], $allowed_protocols);

    Replace these lines with the following lines:

    // hacked by NobuNobu for handling style attribute
    if (strcasecmp($attrname, 'style') != 0) {
        $thisval = kses_bad_protocol($match[1], $allowed_protocols);
    } else {
        // style values keep their colons; only rename expression()
        $thisval = preg_replace('/(^|;)\s*expression\s*\(/i',
                                '\\1XXexpressionXX(', $match[1]);
    }

    To avoid executing invalid JavaScript in the style attribute, I
    changed "expression()" to "XXexpressionXX()"
    (because I could not find any regex to determine the end of
    "expression()").

     
  • Nobody/Anonymous


    I'm getting "padding:" stripped out from the style tag. Is
    there a workaround or fix for this?
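
The colon handling this ticket describes, the patched branch nobunobu posted above, and the "padding:" report, modelled in Python as an added example. This is not kses code: it is a simplified re-implementation, as the editor understands kses 0.2.x, of the scheme whitelisting in kses_bad_protocol() / kses_bad_protocol_once() (split the value at the first colon, including its &#58; / &#x3a; entity forms, keep the prefix only if it is a whitelisted scheme, repeat until stable), with an assumed whitelist and a filter_attr_value() wrapper that mirrors the patched kses_hair() branch. The sample attribute values are constructed for the demonstration.

```python
import re

# Added example, not kses code: a simplified Python model of the scheme
# whitelisting that kses 0.2.x applies to attribute values (the logic of
# kses_bad_protocol() / kses_bad_protocol_once() in kses.php as understood
# by the editor), plus the patched style-attribute branch proposed above.

# Assumed whitelist; kses receives this as its $allowed_protocols argument.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "mailto")

# kses splits on the first ':' and on its numeric entity forms.
_COLON = re.compile(r":|&#58;|&#x3a;", re.IGNORECASE)

# nobunobu's replacement pattern, verbatim from the comment above.
_EXPRESSION = re.compile(r"(^|;)\s*expression\s*\(", re.IGNORECASE)


def bad_protocol_once(value, allowed):
    """One pass: the text before the first colon is treated as a URL scheme.

    A colon inside a query string ('/?' in the prefix) is left alone.
    An unrecognised scheme is deleted together with its colon.
    """
    parts = _COLON.split(value, maxsplit=1)
    if len(parts) != 2 or re.search(r"/\?", parts[0]):
        return value
    scheme, rest = parts
    # kses strips whitespace and lowercases before the comparison.
    scheme = re.sub(r"\s", "", scheme).lower()
    if scheme in allowed:
        return scheme + ":" + rest.strip()
    return rest.strip()


def bad_protocol(value, allowed=ALLOWED_PROTOCOLS):
    """Repeat the single pass until the value stops changing, as kses does."""
    previous = None
    while value != previous:
        previous = value
        value = bad_protocol_once(value, allowed)
    return value


def filter_attr_value(attrname, value, allowed=ALLOWED_PROTOCOLS):
    """Mirror of the patched kses_hair() branch: the scheme check is
    skipped for style, and expression( is renamed instead."""
    if attrname.lower() != "style":
        return bad_protocol(value, allowed)
    return _EXPRESSION.sub(r"\1XXexpressionXX(", value)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    samples = [
        ("href", "http://example.com/?q=a:b"),
        ("href", "javascript:alert(1)"),
        ("style", "padding: 4px"),
        ("style", "color: red; padding: 4px"),
        ("style", "expression(alert(1))"),
        ("style", "width: expression(alert(1))"),
    ]
    for attr, val in samples:
        print(f"{attr}={val!r}")
        print(f"  unpatched: {bad_protocol(val)!r}")
        print(f"  patched:   {filter_attr_value(attr, val)!r}")
```

Run as a script, the model reproduces both complaints on the ticket: `padding: 4px` comes back as `4px`, and a multi-declaration value such as `color: red; padding: 4px` collapses to `4px`, because each `property:` prefix is read as an unknown scheme and deleted on successive passes. On the patched path the scheme check is bypassed entirely for style, so the value is kept intact, and the replacement regex fires only where `expression(` is the first token of a declaration (start of value or after a `;`); a value-position use such as `width: expression(alert(1))` is returned unchanged, which is worth checking against your own inputs before relying on that patch.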

     
